Configuring Identity Service Templates

Identity service
templates contain a set of policy attributes or features that can be applied to
one or more subscriber sessions through a control policy, a RADIUS Change of
Authorization (CoA) request, or a user profile or service profile. This module
provides information about how to configure local service templates for
Identity-Based Networking Services.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see
Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Identity Service Templates

For downloadable service templates, the switch uses the default
password "cisco123" when it requests a service template from the authentication, authorization, and accounting (AAA) server, Cisco Secure Access Control Server (ACS), or Cisco Identity Services Engine (ISE).
The AAA, ACS, or ISE server must therefore be configured with the password "cisco123" for the service template.
Because this value is fixed and publicly documented, it is an identifier rather than a secret: the confidentiality and integrity of the template download rest on the RADIUS shared secret configured between the switch and the server, not on this password.

Information About Identity Service Templates

Service Templates for
Identity-Based Networking Services

A service template
contains a set of service-related attributes or features, such as access
control lists (ACLs) and VLAN assignments, that can be activated on one or more
subscriber sessions in response to session life-cycle events. Templates
simplify the provisioning and maintenance of network session policies where
policies fall into distinct groups or are role-based.

A service template is
applied to sessions through its reference in a control policy, through RADIUS
Change of Authorization (CoA) requests, or through a user profile or service
profile. User profiles are defined per subscriber; service profiles can apply
to multiple subscribers.

Identity-Based
Networking Services supports two types of service templates:

Downloadable
Service Templates—The service template is configured centrally on an external
ACS or AAA server and downloaded on demand.

Locally Configured
Service Templates—The service template is configured locally on the device
through the Cisco IOS command-line interface (CLI).

Downloadable Service
Templates

Identity-Based
Networking Services can download a service template defined on an external AAA
server. The template defines a collection of AAA attributes. These templates
are applied to sessions through the use of vendor-specific attributes (VSAs)
included in RADIUS CoA messages received from the external AAA server or ACS.
The name of the template is referenced in a user profile or a control policy,
which triggers a download of the service template during processing.

The downloadable
template is cached on the device, and subsequent requests for the same template
are served from the cache. The template is cached only for as long as it is in
active use. A downloaded template cannot be deleted through the command-line
interface or by other applications; it is removed only when no active session
references it.
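The following Python example is added here and is not code from the page or from Cisco. It models only the RADIUS Access-Request that carries a downloadable template request, as described above and in the Prerequisites: the User-Name attribute carries the template name and the User-Password attribute carries the fixed value cisco123, hidden with the RFC 2865 User-Password algorithm under the switch/server shared secret. The attribute set is simplified (a real request carries further attributes such as NAS identification), and the function names build_access_request and server_decode, the shared secret and the template name SVC_2 are the example's own. It shows why the fixed password offers no protection by itself: recovering it requires the shared secret, so the server's decision hinges on the secret, not on the well-known password.

```python
import hashlib
import os
import struct
from typing import Optional

# RADIUS packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2

# The fixed, publicly documented value the switch sends when it requests a
# downloadable service template (see the Prerequisites section of the page).
DEFAULT_TEMPLATE_PASSWORD = b"cisco123"


def _tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block); the first block is keyed with
    the 16-byte Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def build_access_request(template_name: str, secret: bytes, identifier: int = 0,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Switch side: Access-Request whose User-Name is the template name and whose
    User-Password is the fixed cisco123 (simplified attribute set, example only)."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = _tlv(USER_NAME, template_name.encode())
    attrs += _tlv(USER_PASSWORD, hide_password(DEFAULT_TEMPLATE_PASSWORD, secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def server_decode(packet: bytes, secret: bytes):
    """Server side: recover the requested template name and check whether the
    hidden password equals the fixed value under *this* shared secret."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("not a template download request")
    name = attrs[USER_NAME].decode()
    password = unhide_password(attrs[USER_PASSWORD], secret, authenticator)
    return name, password == DEFAULT_TEMPLATE_PASSWORD


if __name__ == "__main__":
    shared = b"example-shared-secret"            # constructed for the example
    req = build_access_request("SVC_2", shared)
    print(server_decode(req, shared))            # ('SVC_2', True)
    print(server_decode(req, b"wrong-secret"))   # ('SVC_2', False)
```

The second call shows the practical consequence: a server that does not hold the switch's shared secret cannot recognise the request as a template download even though the password is public, and a rogue NAS without the secret cannot obtain the template's authorization attributes by replaying the known password.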

Locally Configured Service Templates

Service templates can be configured locally through the CLI. These service templates can be applied to subscriber sessions by a reference in a control policy.

When an active local template is updated, changes to that local template will be reflected across all sessions for which the template is active. If a template is deleted, all content from that template that is applied against sessions is removed.

How to Configure Identity Service Templates

Configuring a Local Service
Template

A service template
defines the local policies that can be applied to a subscriber session.
Activate this service template on sessions on which the local policies must be
applied.

SUMMARY STEPS

1. enable

2. configure terminal

3. service-template template-name

4. absolute-timer minutes

5. access-group access-list-name

6. description description

7. inactivity-timer minutes [probe]

8. redirect url url

9. sgt range

10. tag tag-name

11. vlan vlan-id

12. end

13. show service-template [template-name]

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Device> enable

Enables
privileged EXEC mode.

Enter your
password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global
configuration mode.

Step 3

service-template template-name

Example:

Device(config)# service-template SVC_2

Creates a
service template and enters service template configuration mode.

Step 4

absolute-timer minutes

Example:

Device(config-service-template)# absolute-timer 15

(Optional)
Enables an absolute timeout, in minutes, for subscriber sessions. The session is terminated when the timer expires, regardless of activity.

Step 5

access-group access-list-name

Example:

Device(config-service-template)# access-group ACL_2

(Optional)
Applies an access list to sessions using a service template.

Step 6

description description

Example:

Device(config-service-template)# description label for SVC_2

(Optional) Adds
a description for a service template.

Step 7

inactivity-timer minutes [probe]

Example:

Device(config-service-template)# inactivity-timer 15

(Optional)
Enables an inactivity timeout, in minutes, for subscriber sessions. The optional probe keyword makes the device probe the host before terminating an idle session, so that a host that is silent but still connected is not dropped.

Step 8

redirect url url

Example:

Device(config-service-template)# redirect url www.cisco.com

(Optional)
Redirects clients to a particular URL.

Step 9

sgt range

Example:

Device(config-service-template)# sgt 100

(Optional) Associates a Security Group Tag (SGT) with a service
template.

Example: Service
Template

To activate a
service template on a subscriber session, specify the service template in a
control policy. See “Configuring a Control Policy.”
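The following configuration is an added example that puts the procedure above together; it is not a listing from the original page. It defines the local service template SVC_2 with the attributes from steps 4 through 11 and a control policy that activates it. The access list ACL_2, the control policy name POSTURE_VALIDATION, the tag name, the VLAN number and the interface are illustrative values assumed for the example.

```cisco
! Access list referenced by the template (illustrative contents):
! allow DNS and HTTPS only, deny everything else.
ip access-list extended ACL_2
 permit udp any any eq domain
 permit tcp any any eq 443
 deny   ip any any
!
! Local service template: the attributes applied to a session when the
! template is activated on it.
service-template SVC_2
 description label for SVC_2
 access-group ACL_2
 redirect url www.cisco.com
 inactivity-timer 15 probe
 absolute-timer 15
 sgt 100
 tag posture_pending
 vlan 20
!
! Control policy (assumed name) that authenticates with 802.1X and, on
! success, activates the template. replace-all discards any authorization
! data and service templates already applied to the session.
policy-map type control subscriber POSTURE_VALIDATION
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template SVC_2 replace-all
!
! The policy takes effect only on interfaces that reference it.
interface GigabitEthernet1/0/1
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber POSTURE_VALIDATION
!
! Verification:
!   show service-template SVC_2
!   show access-session interface GigabitEthernet1/0/1 details
```

Because a locally configured template is live configuration, editing SVC_2 changes every session on which it is active (see "Locally Configured Service Templates" above); treat such edits as a change to running access control, not as a harmless template update.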

Configuration Examples for Identity Service Templates

Example: Activating a Service Template with Replace All

Local Service Template Configuration

The following example shows the configuration of a service template defined locally on the device. This template contains attributes that are applied to sessions that use the control policy named POSTURE_VALIDATION, shown below:

Control Policy Configuration

The following example shows a control policy that activates the service template named DOT1X with replace-all enabled. The successfully activated template will replace the existing authorization data and any service template previously applied to the session.

Example: Activating a Service Template for Fallback Service

Local Service Template Configuration

The following example shows the configuration of a service template defined locally on the device. This template contains attributes that are applied to sessions that use the control policy named POSTURE_VALIDATION, shown below:

Control Policy Configuration

The following example shows a control policy that runs authentication methods dot1x and MAB. If dot1x authentication fails, MAB authentication is attempted. If MAB fails, the system provides a default authorization profile using the FALLBACK template.

Control Policy Configuration

The following example shows the configuration of a control policy that uses the template named LOW_IMPACT_TEMPLATE to provide limited access to all hosts even when authentication fails. If authentication succeeds, the policy manager removes the service template and provides access based on the policies downloaded by the RADIUS server.
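The following configuration is an added illustration of the fallback and low-impact policies described in this section; it is not the page's original listing. It shows a control policy that tries 802.1X, falls back to MAB, and activates a FALLBACK template when both fail, and a second policy that applies LOW_IMPACT_TEMPLATE from session start and removes it once authentication succeeds. The class map names DOT1X_FAILED and MAB_FAILED, the access lists ACL_2 and PRE_AUTH_ACL, and the policy name LOW_IMPACT are assumed for the example.

```cisco
! Class maps that identify an authoritative failure of each method
! (assumed names).
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
! Template applied when both dot1x and MAB fail.
service-template FALLBACK
 description fallback service
 access-group ACL_2
 redirect url www.cisco.com
!
! Template applied before authentication. Keep PRE_AUTH_ACL minimal
! (for example DHCP, DNS and the remediation server only): it is what
! an unauthenticated host can reach.
service-template LOW_IMPACT_TEMPLATE
 description limited pre-authentication access
 access-group PRE_AUTH_ACL
!
! dot1x first; on its failure try MAB; if MAB also fails, apply FALLBACK.
policy-map type control subscriber POSTURE_VALIDATION
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x
 event authentication-failure match-first
  10 class DOT1X_FAILED do-until-failure
   10 authenticate using mab
  20 class MAB_FAILED do-until-failure
   10 activate service-template FALLBACK
!
! Low-impact mode: limited access from the start, template removed on
! success so the RADIUS-downloaded authorization governs the session.
policy-map type control subscriber LOW_IMPACT
 event session-started match-all
  10 class always do-until-failure
   10 activate service-template LOW_IMPACT_TEMPLATE
   20 authenticate using dot1x retries 3 retry-time 3 priority 10
   30 authenticate using mab priority 20
 event authentication-success match-all
  10 class always do-until-failure
   10 deactivate service-template LOW_IMPACT_TEMPLATE
```

Note the difference between the two fallbacks: FALLBACK is activated only after a definite failure, whereas LOW_IMPACT_TEMPLATE is in force for every host until it authenticates, so its access list defines the pre-authentication attack surface of the port.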

Standards and RFCs

RFC 5176: Dynamic Authorization Extensions to RADIUS (the basis for RADIUS Change of Authorization)

Technical Assistance

The Cisco
Support and Documentation website provides online resources to download
documentation, software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve technical issues with
Cisco products and technologies. Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID and password.

Feature Information for
Identity Service Templates

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for
Identity Service Templates

Feature Name

Releases

Feature
Information

Identity
Service Template

Enables
identity service templates to be configured locally and available at all times.